I spent some time this week trying to get public key authentication to work with SSH so that when I used TortoiseSVN, I wouldn’t have to keep typing in my password. I generated a key, installed the public key on the repository server – but nothing. SSH connections still asked for a password. These are the problems I had on a Windows 7 machine running PuTTY, Pageant and the aforementioned TortoiseSVN, connecting to both OpenSSH and commercial SSH servers running some flavor of UNIX.<\/p>\n
1. Generate a keypair.<\/strong> 2. Install the public key<\/strong> This breaks down to the key type (RSA\/DSA), the key itself, and the comment field.<\/p>\n One important thing<\/strong> – newer versions of the OpenSSH server daemon check the permissions of the authorized_keys\/authorized_keys2 files to ensure that they are not<\/em> world or group writable and will quietly fail if it is! I spent a long time trying to figure this out before a sysadmin put me straight.<\/p>\n The commercial version of SSH has a file ~\/.ssh2\/authorization which lists the accepted key files, each line looking something like:<\/p>\n where keyFile.pub is a text file containing your public key. This was generated by PuTTYgen when you hit the “Save public key” button and should look like:<\/p>\n Where I work, my home directory is on a central file server and is automatically linked to by the other servers on the network, so I have my public key in all three locations to handle the different versions of SSH servers on the network.<\/p>\n 3. Connect with your key.<\/strong> 4. Setup Pageant to handle your private keys. (optional)<\/strong> That’s it! At this point you should be able to connect without password authentication! If you’re having problems, you may want to try setting up a connection in PuTTY where you give it the path to your private key directly and see if that works.<\/p>\n
\nIf you’re using PuTTY, you can use the utility PuTTYGen to generate a keypair. You want to generate either an SSH-2 RSA or an SSH-2 DSA keypair and definitely use a good passphrase! I would also recommend putting in a descriptive key comment which includes your name and the generation date and even if it’s an RSA or DSA key. Something like userName-rsa-20110512. The keypair consists of a private key and a public key. Save both files and also copy the public key in the box called “Public key for pasting into OpenSSH authorized_keys file.” The private key you should keep safe on your client machine. The public key should be installed on the server in one of three places.<\/p>\n
\nNewer versions of OpenSSH want your key to be in a file ~\/.ssh\/authorized_keys. Older versions had two files, ~\/.ssh\/authorized_keys for SSH1 connections and ~\/.ssh\/authorized_keys2 for SSH2 connections. Basically just copy and paste your public key into these files. If you didn’t copy it from Pageant as described in step 1, you can load your private key in Pageant and it will regenerate the public key for you to copy. Only public keys you want to have access should be in the authorized_keys\/authorized_keys2 files! Each key in the file looks something like:<\/p>\nssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBeIywsWQFXXoWsQG7aNKkt4AVyjkt4\/c7yCudH5sMUrsnfpBxGJn1SjNaZorCnZm4j7k+gGw2QFJBrJFsWLAqZwceanHQlid9xmKB9wTN45yzfqFuKrYwpByT9npX2MMC7RjOUm7ccPH3gg1KYn2kPIv\/EGsSHNwGYG56EKBZaxQ== userName-rsa-20110512<\/code><\/p><\/blockquote>\nKey keyFile.pub<\/code><\/p><\/blockquote>\n---- BEGIN SSH2 PUBLIC KEY ----
\nComment: \"userName-rsa-20110512\"
\nAAAAB3NzaC1yc2EAAAABJQAAAIBeIywsWQFXXoWsQG7aNKkt4AVyjkt4\/c7yCudH
\n5sMUrsnfpBxGJn1SjNaZorCnZm4j7k+gGw2QFJBrJFsWLAqZwceanHQlid9xmKB9
\nwTN45yzfqFuKrYwpByT9npX2MMC7RjOUm7ccPH3gg1KYn2kPIv\/EGsSHNwGYG56E
\nKBZaxQ==
\n---- END SSH2 PUBLIC KEY ----<\/code><\/p><\/blockquote>\n
\nIn your PuTTY connection settings under Connection > SSH > Auth, you want to specify the location of your private key. If you’re going to be using Pageant, you’ll instead want to check the box “Attempt authentication using Pageant.”<\/p>\n
\nPageant is a utility that manages your private keys so you don’t have to specify which key is for what connection. Also, if your private key is protected by a passphrase, you only have to enter it once and Pageant will store the decoded key. This is pretty straight forward – just run Pageant and add your private key(s).<\/p>\n